Carakas

**Name of the Vulnerable Software and Affected Versions** Fork CMS versions prior to 5.11.1 **Description** The issue is related to stored Cross-site Scripting (XSS) in the GitHub repository forkcms/forkcms. When uploading a new module, the description of the module can contain JavaScript code, which may be executed after uploading the new module and viewing the `Details` page. This allows for the potential execution of malicious scripts. **Recommendations** For Fork CMS versions prior to 5.11.1, update to version 5.11.1 or later to resolve the issue. As a temporary workaround, consider restricting the ability to upload new modules or limiting the use of JavaScript code in module descriptions until the update is applied.

**Name of the Vulnerable Software and Affected Versions** Fork CMS version 5.8.2 **Description** The issue allows remote attackers to inject arbitrary Javascript code via the `navigation title` parameter and the `title` parameter in the "/private/en/pages/add" endpoint. This enables attackers to execute malicious scripts on the client-side. **Recommendations** For Fork CMS version 5.8.2, consider disabling the `navigation title` and `title` parameters in the "/private/en/pages/add" endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using the `navigation title` and `title` parameters in the affected endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Fork-CMS versions prior to 5.8.2 **Description** The issue allows remote attackers to hijack the authentication of logged administrators due to cross-site request forgery (CSRF). **Recommendations** For versions prior to 5.8.2, update to version 5.8.2 or later to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Fork versions prior to 5.8.3 Description: The issue allows remote attackers to perform unauthorized actions as an administrator, including approving user comments, restoring deleted users, installing or running modules, resetting analytics, pinging the mailmotor API, uploading to the media library, and exporting locale. Recommendations: For versions prior to 5.8.3, update to version 5.8.3 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Fork versions prior to 5.8.3 **Description** The issue allows for XSS attacks via the `navigation title` or `title` variables. This can lead to malicious script execution. **Recommendations** For versions prior to 5.8.3, update to version 5.8.3 or later to resolve the issue. As a temporary workaround, consider restricting input for the `navigation title` and `title` variables to minimize the risk of XSS attacks.